Abstract

We present a new protocol for the verifiable redistribution of secrets from $(m,n)$ to $(m',n')$ access structures for threshold sharing schemes. Our protocol enables the addition or removal of shareholders and also guards against mobile adversaries that cause permanent damage. We observe that existing protocols either cannot be readily extended to allow redistribution between different access structures, or have vulnerabilities that allow faulty old shareholders to corrupt the shares of new shareholders. Our primary contribution is that, in our protocol, new shareholders can verify the validity of their shares after redistribution between different access structures.
1 Introduction


Threshold sharing schemes provide fundamental building blocks for the safeguarding of secrets and secure distributed computation. Since their invention, many enhancements to threshold schemes have been proposed. Proactive secret sharing (PSS) schemes [FGMY97a, FGMY97b, GJKR96, HJJ+97, Rab98], for example, provide enhanced protection against mobile adversaries [OY91] by updating the shares periodically in a distributed fashion. In general, PSS schemes retain the same shareholders and access structure across updates. A more general proactive problem is the redistribution of shares between different (possibly disjoint) sets of shareholders and different access structures, hereafter referred to as secret redistribution. Secret redistribution has been studied by Desmedt and Jajodia [DJ97] and Frankel et al. [FGMY97a]. In this paper, we identify weaknesses in previous work, and propose a new protocol that performs verifiable secret redistribution (VSR) between different shareholders and access structures. We prove the security of our scheme with an information-theoretic security proof.

The development of our new protocol is motivated by work on a secure, distributed storage system [WBS+00, WBP+01] that stores shares of files (or long-term encryption keys) on a distributed set of servers. For system management and security purposes (such as load balancing or server compromises), the system needs to generate new shares and invalidate old shares. In general, the ability to redistribute shares of secrets between different sets of shareholders is useful for a wide range of applications. Consider the following examples:

Multiparty signature schemes: Business organizations may use digital signature schemes to sign legal documents they exchange with counterparties. Such schemes are typically asymmetric: an organization generates signatures with a private key known only to itself, and the counterparties verify signatures with a corresponding public key. To prevent a single rogue agent from signing documents without proper authorization, the organization may require multiple agents to generate signatures with a multiparty signature scheme [DDFY94, FGMY97b, GJKR96, HJJ+97, Rab98] that distributes shares of the private key to the agents. Over time, the organization will need to give shares of the private key to agents who join, and invalidate the shares of agents who leave. Changing the private key each time agents join or leave would require revocation of the well-known public key. A better solution would be to redistribute shares of the private key in a way that invalidates old shares and obviates the need for public key revocation.

Distributed key servers: Recent distributed storage systems, such as CFS [DKK+01], FarSite [BDET00], PASIS [WBS+00, WBP+01] and PAST [RD01], use disk space on (potentially) untrusted storage devices to store data. Clients may encrypt data before handing it off to the storage system. One way for clients to store their encryption keys is to employ threshold sharing schemes to distribute shares of the keys to a set of key servers. Of course, since clients must store keys for as long as they store the encrypted data, a mobile adversary may have a large window of opportunity to compromise multiple key servers, and thus obtain enough shares to reconstruct the keys. To counter the adversary, the uncompromised key servers could periodically redistribute shares of the keys to new, uncompromised servers. The adversary would then need to restart the process of compromising servers, assuming that old shares cannot be combined with new shares to reconstruct the secret.

Both of these applications must support dynamic shareholder membership, and protect secrets from mobile adversaries. In the multiparty signature system, agents may join or leave the organization, while in the storage system, key servers may be added or removed for maintenance or security purposes. It may also be advantageous to change the threshold value of the underlying sharing scheme to accommodate new policies. In both applications, the system needs to retain the original secrets when generating new shares and invalidating old shares. More importantly, to prevent faulty old shareholders from corrupting the shares of new shareholders, new shareholders must be able to verify the validity of their shares after redistribution (i.e., that their shares can be used to reconstruct the secret).

Desmedt and Jajodia propose a protocol to redistribute secret shares between different (possibly disjoint) sets of shareholders with different access structures [DJ97]. They postulate that a straightforward extension of their protocol with a verifiable secret sharing (VSS) scheme allows them to tolerate faulty old shareholders and verify the validity of new shares. We show that such a naive extension fails, since it still allows faulty old shareholders to corrupt the shares of new shareholders.

Frankel et al. propose a proactive threshold sharing scheme for RSA [FGMY97a] that uses a poly-to-sum redistribution from a polynomial sharing scheme to an additive sharing scheme, and a sum-to-poly redistribution from the additive scheme back to a polynomial scheme. They suggest that changes in threshold value and number of shareholders can be accommodated in the poly-to-sum redistribution. However, their scheme relies on public information distributed in the preceding round to verify the validity of new shares. If secret redistribution is performed among the same set of shareholders, verification can be achieved because all shareholders retain the information from the preceding round. However, if redistribution is performed to new shareholders who do not possess the necessary public information, faulty old shareholders could corrupt redistribution. We will discuss this point further in Section 4.

Our  key  observations  are  that: 


• PSS schemes cannot be readily extended to allow "updates" between different sets of shareholders with different access structures. Thus, these schemes cannot accommodate the permanent addition or removal of shareholders.

• Redistribution protocols have vulnerabilities that allow faulty old shareholders to corrupt redistribution and cause new shareholders to generate invalid shares.

• For verification purposes, old shareholders in a secret redistribution protocol must pass additional information to new shareholders. This information can be a commitment to the original secret, or commitments to the shares of all old shareholders.


Pinpoint identification and elimination of faulty old shareholders are not immediately possible if redistribution is to occur between two disjoint sets of shareholders. In the worst case, for redistribution from an $(m,n)$ access structure, $\frac{n-m+1}{m-1}$ restarts are required to eliminate faulty shareholders and complete redistribution.


We present a new verifiable secret redistribution protocol for Shamir's threshold sharing scheme [Sha79] in which we redistribute secrets from an $(m,n)$ to an $(m',n')$ access structure. We base our protocol on Desmedt and Jajodia's redistribution protocol, in which new shareholders generate shares from subshares of old shares. We extend their protocol to enable new shareholders to verify the validity of the shares they generate. We prove that the new shareholders can generate valid new shares if they can both verify the validity of the old shares and that of the subshares. We also prove that an adversary who obtains fewer than $m$ old shares and fewer than $m'$ new shares cannot reconstruct the secret.

We summarize the operation of our VSR protocol in Figure 1. Returning to our example applications, suppose that we have distributed shares of a key, $k$, to $n$ shareholders, as shown in the Initial phase. A counterparty wishing to obtain the signature for a document, or a client wishing to retrieve an encryption key, can do so by contacting $m$ of the $n$ shareholders (the dashed lines). When agents join or leave, or when key servers are added or taken offline, our VSR protocol redistributes $k$ to a new set of shareholders, as shown in the Redist phases. Upon the completion of redistribution, a client can perform the same distributed operations by contacting $m'$ of the $n'$ new servers (the dotted lines). The applications can execute the Redist phase as often as necessary to ensure the security and availability of the shared secrets.

Figure 1: Initial threshold scheme distribution of a secret $k$ with an $(m,n)$ access structure, followed by redistribution to an $(m',n')$ access structure. The Initial phase of our VSR protocol guarantees that the shares $s_1 \ldots s_n$ are valid. The Redist phase of our protocol guarantees that the shares $s'_1 \ldots s'_{n'}$ are valid. The dashed (dotted) lines represent a client contacting servers holding $s_1 \ldots s_m$ ($s'_1 \ldots s'_{m'}$). We can execute Redist an arbitrary number of times.


2  Related  work 

Blakley and Shamir invented threshold sharing schemes independently [Bla79, Sha79]. In Blakley's scheme, the intersection of $m$ of $n$ vector spaces yields a one-dimensional vector that corresponds to the secret. In Shamir's scheme, the interpolation of an $m-1$ degree polynomial through $m$ of $n$ points yields a constant term in the polynomial that corresponds to the secret. Desmedt surveys other sharing schemes [Des97].

Chor et al. present a VSS scheme in which the dealer and shareholders perform an interactive secure distributed computation [CGMA85]. Benaloh [Ben87], Gennaro and Micali [GJKR96, GM95], Goldreich et al. [GMW87], and Rabin and Ben-Or [Rab94, RB89] propose schemes in which the dealer and shareholders participate in an interactive zero-knowledge proof of validity; the scheme of Gennaro and Micali, and that of Rabin and Ben-Or, are information-theoretically secure. Feldman and Pedersen [Fel87, Ped91] present VSS schemes in which the dealer broadcasts a non-interactive zero-knowledge proof to the shareholders. Beth et al. [BKO93] present a VSS scheme for monotone access structures based on finite geometries. Our VSR protocol differs from previous VSS schemes in that the multiple "dealers" of the new shares (the old shareholders) do not have the secret, and must use other information to generate a proof for the new shareholders. Also, each new shareholder verifies the validity of the subshares distributed by the old shareholders, and verifies the validity of the shares used by the old shareholders to generate the subshares.

Frankel et al. [FGMY97b, FMY99, FMY01] and Rabin [Rab98] propose threshold PSS schemes in which each shareholder periodically distributes a subshare of its share to all the other members. Each shareholder then combines the subshares to generate a new share. A drawback of these protocols is that the shareholders rely on commitments received during the initial distribution of the secret to verify the validity of the new shares, and thus one cannot redistribute between disjoint sets of shareholders. Also, the commitments depend on $(m,n)$, and thus one cannot redistribute between different access structures.

Desmedt and Jajodia present a secret redistribution protocol that does not require the intermediate reconstruction of the original secret [DJ97]. We present the details of their protocol in Section 3.2. Their protocol allows redistribution between different (possibly disjoint) sets of shareholders with different access structures. Unfortunately, a faulty old shareholder can undetectably distribute "subshares" of some random value instead of subshares of a valid old share, and thus cause new shareholders to generate invalid shares.

Frankel et al. propose a proactive threshold sharing scheme for RSA private keys [FGMY97a]. The protocol uses a poly-to-sum redistribution from an $(m,n)$ to an $(m,m)$ sharing scheme, and a sum-to-poly redistribution back to an $(m,n)$ scheme. During redistribution, each old shareholder broadcasts a commitment to its share, which new shareholders use to verify the validity of their generated share. Unfortunately, during redistribution to a disjoint set of shareholders, it is not enough for the old shareholders to broadcast the commitments to their respective shares, since a faulty shareholder can broadcast a random "commitment." There are two potential remedies for this problem. One is for the old shareholders to broadcast a commitment to the original secret, which can be used to verify the consistency of commitments to shares. The alternative is for each old shareholder to keep and broadcast all share commitments. We opt for the former in our protocol because it is both space and time efficient.

Other researchers present secret redistribution protocols that do not involve the physical redistribution of shares. Blakley et al. consider threshold schemes that disenroll (remove) shareholders from the access structure with broadcast messages [BBCM92]: the new shareholders are a subset of the old ones. Cachin proposes a secret sharing scheme that enrolls (adds) shareholders in the access structure after the initial sharing [Cac95]: the new shareholders are a superset of the old ones. Blundo et al. present a scheme in which the dealer uses broadcast messages to activate different, possibly disjoint, authorized subsets [BCSV96]. Blundo's scheme requires shareholders to have a share regardless of whether or not they are in the active authorized subset, in contrast to Desmedt and Jajodia's scheme. Our VSR protocol alters the access structure by physical redistribution of shares, and allows new shareholders to verify that they have valid shares.

Ostrovsky and Yung introduce the concept of mobile adversaries [OY91] that corrupt participants in a distributed protocol at a constant rate. Canetti and Herzberg use mobile adversaries to motivate their development of a distributed proactive pseudorandom number generator [CH94]. Herzberg et al. [HJKY95, HJJ+97] propose a PSS scheme for Shamir's sharing scheme [Sha79] in which each shareholder periodically distributes update shares to all other shareholders. Zhou, Schneider, and van Renesse propose a PSS scheme for asynchronous, wide-area networks, and employ it in an on-line certification authority [ZSvR00]. Our VSR protocol, unlike these PSS schemes, can redistribute shares to arbitrary access structures. However, we assume that there exist reliable broadcast channels among all participants and private channels between every pair of participants in our protocol, which Zhou et al. avoid in their asynchronous protocol.

We  note  that  our  VSR  protocol,  in  contrast  to  the  earlier  threshold  PSS  schemes,  can  guard  against 
mobile  adversaries  that  cause  permanent  damage  (i.e.,  that  cannot  be  undone  with  a  reboot  operation).  Of 
course,  we  still  require  that  at  any  given  point  of  time,  the  number  of  faulty  shareholders  in  the  current  set 
of  shareholders  is  less  than  the  threshold  value. 


3  Cryptographic  building  blocks 

In this section, we outline the cryptographic protocols that form the building blocks for our VSR protocol. We first recap Shamir's threshold sharing scheme [Sha79], and then summarize Desmedt and Jajodia's secret redistribution protocol [DJ97] and Feldman's VSS scheme [Fel87].

3.1  Shamir’s  threshold  sharing  scheme 

Shamir's threshold sharing scheme is based on polynomial interpolation [Sha79]. A secret $k$ is in $\mathbb{Z}_p$, where $p$ is prime and $p > n$; shares of $k$ are also in $\mathbb{Z}_p$. Authorized subsets, $A$, of the set of shareholders, $P$, are in the access structure $\mathcal{A}^{(m,n)}_P$, where $|P| = n$ and $|A| = m$.

To distribute $k$ to the access structure $\mathcal{A}^{(m,n)}_P$, we select an $m-1$ degree polynomial $a(x)$ with constant term $k$ and random coefficients $a_1 \ldots a_{m-1} \in \mathbb{Z}_p$, and generate shares $s_i$ for each shareholder $i \in P$:

$$s_i = a(i) = k + a_1 i + \ldots + a_{m-1} i^{m-1} \qquad (1)$$

To reconstruct $k$, we retrieve $m$ pairs $(i, s_i)$ from $i \in A$, and compute $k$ by Lagrange interpolation:

$$k = \sum_{i \in A} b_i s_i \quad \text{where} \quad b_i = \prod_{j \in A \setminus \{i\}} \frac{j}{j - i} \qquad (2)$$

Desmedt and Jajodia's Secret Redistribution protocol:

To redistribute a secret $k \in \mathbb{Z}_p$ from an $\mathcal{A}^{(m,n)}_P$ to an $\mathcal{A}^{(m',n')}_{P'}$ access structure, using the authorized subset $A \in \mathcal{A}^{(m,n)}_P$:

1. For each $i \in A$, use the polynomial $a'_i(j) = s_i + a'_{i1} j + \ldots + a'_{i(m'-1)} j^{m'-1}$ to compute the subshares $\hat{s}_{ij}$ of $s_i$, and send $\hat{s}_{ij}$ to the corresponding $j \in P'$.

2. For each $j \in P'$, generate a new share $s'_j$ by Lagrange interpolation:

$$s'_j = \sum_{i \in A} b_i \hat{s}_{ij} \quad \text{where} \quad b_i = \prod_{x \in A \setminus \{i\}} \frac{x}{x - i}$$

$b_i$ are interpolation constants that may be precomputed.

Figure 2: Desmedt and Jajodia's secret redistribution protocol [DJ97] for Shamir's threshold sharing scheme.


3.2  Desmedt  and  Jajodia’s  secret  redistribution  protocol 

Desmedt and Jajodia present a protocol for the redistribution of shares of secrets distributed with threshold sharing schemes, which does not require the intermediate reconstruction of the secret [DJ97]. We present a specialization of their protocol for Shamir's scheme in Figure 2. Suppose we have distributed a secret $k$ to the access structure $\mathcal{A}^{(m,n)}_P$ and wish to redistribute $k$ to the new access structure $\mathcal{A}^{(m',n')}_{P'}$. To achieve this, we select an authorized subset $A \in \mathcal{A}^{(m,n)}_P$. Each shareholder $i \in A$ uses Shamir's scheme to distribute subshares $\hat{s}_{ij}$ of its share $s_i$ to $\mathcal{A}^{(m',n')}_{P'}$. Each new shareholder $j \in P'$ receives $\hat{s}_{ij}$ from each $i$, and generates a new share $s'_j$ by Lagrange interpolation:

$$s'_j = \sum_{i \in A} b_i \hat{s}_{ij} \quad \text{where} \quad b_i = \prod_{x \in A \setminus \{i\}} \frac{x}{x - i} \qquad (3)$$


3.3  Feldman’s  VSS  scheme 

Feldman presents a VSS scheme for shareholders of a secret to verify the validity of their shares [Fel87]. We present a specialization for Shamir's scheme in Figure 3. Herzberg et al. present a similar treatment [HJKY95].

The application of Feldman's VSS scheme to Shamir's scheme takes advantage of the homomorphic properties of exponentiation, and of the assumption that the computation of discrete logs in a finite field is intractable. Suppose we have a field $\mathbb{Z}_p$ and a multiplicative group $\mathbb{Z}_r^*$, such that $p$ and $r$ are prime and $r = pq + 1$ (where $q$ is a positive integer), and suppose we have a generator $g$ of the subgroup of $\mathbb{Z}_r^*$ of order $p$ (so that exponents of $g$ are reduced modulo $p$, matching the arithmetic on shares). We first use Shamir's scheme with polynomial $a(x)$ to distribute a secret $k \in \mathbb{Z}_p$ to the access structure $\mathcal{A}^{(m,n)}_P$. Then, in addition to sending the shares $s_i \in \mathbb{Z}_p$ to shareholders $i \in P$, we broadcast commitments to $k$ and the coefficients $a_1 \ldots a_{m-1}$ of $a(x)$ of the form $g^k$ and $g^{a_1} \ldots g^{a_{m-1}}$. Each $i$ may then verify that $s_i$ is a valid share of $k$:

$$g^{s_i} = g^k (g^{a_1})^i \ldots (g^{a_{m-1}})^{i^{m-1}} \qquad (4)$$

which is the exponentiation of $a(x)$ (Equation (1)). Assuming that the computation of discrete logs is intractable, no $i$ can learn $k$ or $a_1 \ldots a_{m-1}$ from the commitments.

Feldman's Verifiable Secret Sharing scheme:

To distribute a secret $k \in \mathbb{Z}_p$ to the access structure $\mathcal{A}^{(m,n)}_P$:

1. Use the polynomial $a(i) = k + a_1 i + \ldots + a_{m-1} i^{m-1}$ to compute the shares $s_i$ of $k$, and send $s_i$ to the corresponding $i \in P$ over private channels.

2. Use generator $g$ to compute $g^k, g^{a_1} \ldots g^{a_{m-1}}$, and broadcast them to all $i \in P$.

3. For each $i \in P$, verify that:

$$g^{s_i} = g^k \prod_{l=1}^{m-1} (g^{a_l})^{i^l}$$

If the condition holds, $i$ broadcasts a "commit" message. Otherwise, $i$ broadcasts an "abort" message.

Figure 3: Feldman's VSS scheme [Fel87] for Shamir's threshold sharing scheme.


4  The  VSR  protocol 

We present our verifiable secret redistribution protocol for secrets distributed with Shamir's scheme. The protocol receives shares of a secret distributed to the access structure $\mathcal{A}^{(m,n)}_P$, and outputs shares of the secret distributed to a new access structure $\mathcal{A}^{(m',n')}_{P'}$. We assume that the computation of discrete logs in a finite field is intractable, and that there exist reliable broadcast channels among all participants and private channels between every pair of participants. We also assume that there are at least $m$ non-faulty old shareholders, at most $m-1$ faulty old shareholders, and $n'$ non-faulty new shareholders.

In the initial distribution phase (Initial in Figure 4), the dealer of secret $k$ distributes shares $s_i$ to each shareholder $i \in P$ with the polynomial $a(i)$ (Initial step 1). The dealer also broadcasts commitments $g^k$ and $g^{a_1} \ldots g^{a_{m-1}}$, which each $i$ uses to verify the validity of $s_i$ (Equation (4), Initial steps 2 and 3). If verification passes, $i$ stores $s_i$ and $g^k$ (Initial step 4).

In the redistribution phase (Redist in Figure 4), each $i$ in an authorized subset $A \in \mathcal{A}^{(m,n)}_P$ uses Shamir's scheme (with the polynomial $a'_i(j)$) to distribute subshares $\hat{s}_{ij}$ of its share $s_i$ to $\mathcal{A}^{(m',n')}_{P'}$ (Redist step 1). Each shareholder $j \in P'$ receives $\hat{s}_{ij}$ from each $i$, and generates a new share $s'_j$ (Equation (3), Redist step 4). We may redistribute $k$ an arbitrary number of times before we reconstruct it.

For the new shareholders to verify that their shares of the secret are valid after redistribution, we require that two conditions, SHARES-VALID and SUBSHARES-VALID, hold. When all $i \in A$ redistribute $s_i$ to each $j \in P'$, all $s'_j$ are valid shares of $k$ if

SHARES-VALID:

$$k = \sum_{i \in A} b_i s_i$$

SUBSHARES-VALID:

$$\forall i \in A, \; \forall A' \in \mathcal{A}^{(m',n')}_{P'}: \; s_i = \sum_{j \in A'} b'_j \hat{s}_{ij}$$
Verifiable Secret Redistribution protocol for Shamir's sharing scheme:

INITIAL: To distribute a secret $k \in \mathbb{Z}_p$ to the access structure $\mathcal{A}^{(m,n)}_P$:

1. Use the polynomial $a(i) = k + a_1 i + \ldots + a_{m-1} i^{m-1}$ to compute the shares $s_i$ of $k$, and send $s_i$ to the corresponding $i \in P$ over private channels.

2. Use generator $g$ to compute $g^k, g^{a_1} \ldots g^{a_{m-1}}$, and send them to all $i \in P$ over the broadcast channel.

3. For each $i \in P$, verify that:

$$g^{s_i} = g^k \prod_{l=1}^{m-1} (g^{a_l})^{i^l}$$

If the condition holds, $i$ broadcasts a "commit" message. Otherwise, $i$ broadcasts an "abort" message.

4. If all $i \in P$ agree to commit, each $i$ stores $s_i$ and $g^k$. Otherwise, they abort the protocol.

REDIST: To redistribute $k \in \mathbb{Z}_p$ from an $\mathcal{A}^{(m,n)}_P$ to an $\mathcal{A}^{(m',n')}_{P'}$ access structure, using the authorized subset $A \in \mathcal{A}^{(m,n)}_P$:

1. For each $i \in A$, use the polynomial $a'_i(j) = s_i + a'_{i1} j + \ldots + a'_{i(m'-1)} j^{m'-1}$ to compute the subshares $\hat{s}_{ij}$ of $s_i$, and send $\hat{s}_{ij}$ to the corresponding $j \in P'$ over private channels.

2. For each $i \in A$, use $g$ to compute $g^{s_i}, g^{a'_{i1}} \ldots g^{a'_{i(m'-1)}}$, and send them and $g^k$ to all $j \in P'$ over the broadcast channel.

3. For each $j \in P'$, verify that:

$$\forall i \in A: \; g^{\hat{s}_{ij}} = g^{s_i} \prod_{l=1}^{m'-1} (g^{a'_{il}})^{j^l}$$

and:

$$g^k = \prod_{i \in A} (g^{s_i})^{b_i} \quad \text{where} \quad b_i = \prod_{l \in A \setminus \{i\}} \frac{l}{l - i}$$

If the conditions hold, $j$ broadcasts a "commit" message. Otherwise, $j$ broadcasts an "abort" message.

4. If all $j \in P'$ agree to commit, each $j$ generates a new share $s'_j$:

$$s'_j = \sum_{i \in A} b_i \hat{s}_{ij} \quad \text{where} \quad b_i = \prod_{l \in A \setminus \{i\}} \frac{l}{l - i}$$

and stores $s'_j$ and $g^k$. Otherwise, they abort the protocol.

Figure 4: Protocol for the verifiable redistribution of shares for Shamir's threshold sharing scheme.


We define a NEW-SHARES-VALID condition, which holds if new shareholders have valid shares of the secret. We prove in Section 5 that NEW-SHARES-VALID holds if SHARES-VALID and SUBSHARES-VALID hold. The definition of NEW-SHARES-VALID follows from Equation (2) for a secret distributed to $\mathcal{A}^{(m',n')}_{P'}$:

NEW-SHARES-VALID:

$$\forall A' \in \mathcal{A}^{(m',n')}_{P'}: \; k = \sum_{j \in A'} b'_j s'_j$$
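As an added worked derivation (not part of the original page), the implication can be carried through in the document's own symbols. Fix any $A' \in \mathcal{A}^{(m',n')}_{P'}$, let $b'_j$ be the Lagrange constants of Equation (2) for the set $A'$, and substitute Equation (3) for $s'_j$:

$$\sum_{j \in A'} b'_j s'_j = \sum_{j \in A'} b'_j \sum_{i \in A} b_i \hat{s}_{ij} = \sum_{i \in A} b_i \sum_{j \in A'} b'_j \hat{s}_{ij}.$$

SUBSHARES-VALID gives $\sum_{j \in A'} b'_j \hat{s}_{ij} = s_i$ for every $i \in A$, and SHARES-VALID then gives $\sum_{i \in A} b_i s_i = k$, so NEW-SHARES-VALID holds. Only linearity of interpolation over $\mathbb{Z}_p$ is used, which is also why a faulty $i$ that distributes consistent subshares of some value $v_i \neq s_i$ passes the subshare check yet shifts the value the new shareholders reconstruct by $b_i (v_i - s_i)$.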

We use Feldman's VSS scheme [Fel87] to verify that SUBSHARES-VALID holds. Each $i \in A$ broadcasts commitments to its share and the coefficients of $a'_i(j)$ ($g^{s_i}$ and $g^{a'_{i1}} \ldots g^{a'_{i(m'-1)}}$), which each $j$ uses to verify the validity of $\hat{s}_{ij}$ (Redist steps 2 and 3).
To allow the new shareholders to verify that SHARES-VALID holds, which together with SUBSHARES-VALID verifies that NEW-SHARES-VALID holds, the old shareholders in our protocol broadcast a commitment to the original secret. Each $i \in A$ therefore stores $g^k$ (received during Initial) and later broadcasts it to all $j \in P'$. Recall that each $j$ receives $g^{s_i}$ from each $i$ to verify that SUBSHARES-VALID holds. Once each $j$ receives $g^k$, it verifies that $s_i$ is a valid share of $k$:

$$g^k = \prod_{i \in A} g^{b_i s_i} \qquad (5)$$

Equation (5) follows from Equation (2) and the homomorphic properties of exponentiation. Assuming that the computation of discrete logs is intractable, no $j$ can learn $k$ from $g^k$.

4.1  Discussion 

The key insight in our VSR protocol is that a naive extension of Desmedt and Jajodia's protocol with Feldman's VSS scheme [DJ97, Fel87] does not in itself allow the new shareholders to verify that NEW-SHARES-VALID holds. The difficulty arises because the VSS scheme only verifies that SUBSHARES-VALID holds, which in the absence of SHARES-VALID is insufficient to verify that NEW-SHARES-VALID holds. Although Desmedt and Jajodia claim that the linear properties of their protocol and the VSS scheme ensure that each new shareholder $j$ generates valid shares, they implicitly assume that each shareholder $i \in A$ distributes subshares of a valid share $s_i$. The VSS scheme only allows $i$ to prove that it distributed valid subshares of some value. However, $i$ may have distributed "subshares" of some random value instead of subshares of $s_i$. The same difficulty exists if one extends Desmedt and Jajodia's protocol with Pedersen's VSS scheme [Ped91] in the same simple manner.

Our insight also applies to the proactive scheme presented by Frankel et al. [FGMY97a]. Their verification checks ensure that both SUBSHARES-VALID and SHARES-VALID hold during redistribution to the same set of shareholders. However, during redistribution to new shareholders, their checks only ensure that SUBSHARES-VALID holds. Their "proper secret" check does not ensure that SHARES-VALID holds because it relies on a "witness" ($g^{s_i L^2}$ in their paper) computed from information distributed in the preceding round. A faulty shareholder can thus distribute spurious information to the new shareholders and ultimately cause them to accept a false witness value.

To allow new shareholders to verify that both SHARES-VALID and SUBSHARES-VALID hold, which are sufficient to guarantee that NEW-SHARES-VALID holds, additional information tying the shares back to the original secret must be passed to the new shareholders. In our protocol, this information is the commitment to the original secret, $g^k$. Each old shareholder participating in the redistribution broadcasts $g^k$ to the new shareholders. Then $g^k$ is used to check that SHARES-VALID holds (Equation (5)).

We could augment Frankel's PSS scheme in the same way. Each old shareholder could pass a commitment to the original private key, $g^d$, to the new shareholders, who then verify that

$$g^d = g^{P} \prod_{i \in A} g^{s_i z_{i,A}} \pmod{n}$$

holds, where $s_i$ are shares, and $P$, $z_{i,A}$ are publicly computable (see page 5 of their paper).

As an alternative to broadcasting the commitment to the original secret, $g^k$, each shareholder could retain and broadcast the commitments to all shares, $g^{s_1} \ldots g^{s_m}$. This would also allow new shareholders to verify that SHARES-VALID holds. Any discrepancy in the commitment values would indicate the presence of faulty shareholders. We choose to use $g^k$ for efficiency reasons.
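The two checks discussed in this section, as an added worked example that is not code from the paper: a toy-sized Python implementation of Shamir sharing over $\mathbb{Z}_p$ with Feldman commitments $g^x$ in an order-$p$ subgroup, one old-to-new redistribution round, and the Feldman check (SUBSHARES-VALID) and the $g^k$ check (SHARES-VALID) that each new shareholder runs before deriving its new share. The group parameters, the secret, the thresholds, and the fault model (a faulty old shareholder that re-shares a wrong value with an internally consistent subshare polynomial) are all constructed for this example; `run_vsr`, `redistribute` and the other function names are this example's own, not the paper's notation.

```python
# Added example (not code from the paper): Shamir shares over Z_P, Feldman commitments
# g^x in an order-P subgroup of Z_Q^*, one redistribution round, and the two checks a
# new shareholder runs. Every parameter below is a constructed toy value.
import random

P = 1019  # prime; secrets, shares and subshares live in Z_P
Q = 2039  # prime with Q = 2P + 1, so Z_Q^* has a subgroup of order P
G = 4     # 4 = 2^2 is a quadratic residue mod Q and so generates that order-P subgroup


def commit(x):
    """Homomorphic commitment g^x mod Q (Feldman)."""
    return pow(G, x % P, Q)


def share(secret, m, n, rng):
    """Shamir (m, n) sharing over Z_P. Returns ({i: s_i}, polynomial coefficients)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(m - 1)]
    shares = {i: sum(c * pow(i, l, P) for l, c in enumerate(coeffs)) % P
              for i in range(1, n + 1)}
    return shares, coeffs


def lagrange_coeffs(points):
    """Reconstruction coefficients b_i (mod P) so that f(0) = sum_i b_i f(i)."""
    b = {}
    for i in points:
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        b[i] = num * pow(den, -1, P) % P
    return b


def redistribute(old_shares, m_new, n_new, rng, faulty=()):
    """Each old shareholder i re-shares s_i with an (m', n') polynomial and publishes
    Feldman commitments [g^{s_i}, g^{a_i1}, ..., g^{a_i(m'-1)}].  A shareholder listed
    in `faulty` re-shares s_i + 1 instead (constructed fault): its subshares and
    commitments are mutually consistent, so Feldman's check alone cannot catch it."""
    subshares, commits = {}, {}
    for i, s_i in old_shares.items():
        value = (s_i + 1) % P if i in faulty else s_i
        subshares[i], coeffs = share(value, m_new, n_new, rng)
        commits[i] = [commit(c) for c in coeffs]
    return subshares, commits


def subshares_valid(j, s_ij, commits_i):
    """Feldman check for subshare s_ij: g^{s_ij} == prod_l (g^{a_il})^{j^l}."""
    rhs = 1
    for l, c in enumerate(commits_i):
        rhs = rhs * pow(c, pow(j, l, P), Q) % Q
    return commit(s_ij) == rhs


def shares_valid(gk, commits, b):
    """The g^k check: g^k == prod_{i in A} (g^{s_i})^{b_i}."""
    rhs = 1
    for i, b_i in b.items():
        rhs = rhs * pow(commits[i][0], b_i, Q) % Q
    return gk == rhs


def run_vsr(k, m, n, m_new, n_new, faulty=(), seed=1):
    """One redistribution from (m, n) to (m', n'). Returns
    (all Feldman checks passed, all g^k checks passed, secret rebuilt from m' new shares)."""
    rng = random.Random(seed)
    old, _ = share(k, m, n, rng)
    A = {i: old[i] for i in range(1, m + 1)}        # the authorized subset that participates
    b = lagrange_coeffs(list(A))
    subshares, commits = redistribute(A, m_new, n_new, rng, faulty)
    gk = commit(k)                                  # broadcast by the non-faulty old shareholders
    sub_ok = shares_ok = True
    new_shares = {}
    for j in range(1, n_new + 1):                   # each new shareholder verifies, then derives s'_j
        sub_ok &= all(subshares_valid(j, subshares[i][j], commits[i]) for i in A)
        shares_ok &= shares_valid(gk, commits, b)
        new_shares[j] = sum(b[i] * subshares[i][j] for i in A) % P
    b_new = lagrange_coeffs(list(range(1, m_new + 1)))
    rebuilt = sum(b_new[j] * new_shares[j] for j in range(1, m_new + 1)) % P
    return sub_ok, shares_ok, rebuilt
```

With an honest subset, `run_vsr(123, 3, 5, 2, 4)` passes both checks and the new shareholders rebuild 123. With shareholder 2 faulty, every Feldman check still passes (the wrong subshares match the wrong commitments), only the $g^k$ check fails, and the new shares would rebuild a wrong secret: this is exactly the gap in a protocol that verifies subshares alone.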


4.2  Detecting  faulty  shareholders 

During redistribution from an $\mathcal{A}_P^{(m,n)}$ to $\mathcal{A}_{P'}^{(m',n')}$ access structure with our VSR protocol, we assume that at least $m$ of the $n$ shareholders in $P$ and all $n'$ of the shareholders in $P'$ are non-faulty, and that up to $m-1$ shareholders in $P$ may be faulty. We denote faulty shareholders, and the values they distribute, with over-bars. A non-faulty shareholder $i \in P$ distributes valid subshares $\hat{s}_{ij}$ of its share $s_i$ to all shareholders $j \in P'$ and broadcasts $g^k$ corresponding to secret $k \in \mathbb{Z}_p$. A faulty shareholder $\bar{i} \in P$ may distribute invalid subshares $\overline{\hat{s}}_{ij}$ or broadcast $\overline{g^k}$ not corresponding to $k$.

In order to check that the verification conditions hold, we require that certain information be made available to the new shareholders. In the redistribution protocol of Desmedt and Jajodia [DJ97], this information is the commitments $g^k$, $g^{s_i}$, and $g^{a_{i1}} \ldots g^{a_{i(m'-1)}}$. In the PSS scheme of Frankel et al. [FGMY97a], this information is the values $g^{s_i L^2}$ and $g^d$. In the absence of a trusted information repository, the new members must rely on the old shareholders to deliver this information. It is this process that proves to be problematic for the pinpoint identification of faulty shareholders.

Consider redistribution from $\mathcal{A}_P^{(m,n)}$ to $\mathcal{A}_{P'}^{(m',n')}$. Assume that we start with a random authorized subset $A \in \mathcal{A}_P^{(m,n)}$, and recall that $|A| = m$. It is possible that some subset of the old shareholders in $A$ (at most $m-1$) are faulty, and will attempt to broadcast $\overline{g^k}$ and $\overline{\hat{s}}_{ij}$. If the faulty shareholders conspire to broadcast the same $\overline{g^k}$, the new shareholders will detect the discrepancy in the $m$ broadcast values, but cannot pinpoint the faulty shareholders. The new shareholders cannot use majority voting since the majority of the old shareholders in $A$ may be faulty.

Assuming that up to $m-1$ shareholders may be faulty, any randomly selected authorized subset of $m$ old shareholders must contain at least one non-faulty shareholder. If the new shareholders detect discrepancies in the commitments broadcast by the old shareholders, they can restart the redistribution protocol with another authorized subset until all values are consistent and all verification conditions hold. For $\mathcal{A}_P^{(m,n)}$, the number of times we must restart the redistribution protocol is bounded in the worst case by

$$\binom{n}{m} - \binom{n-m+1}{m} = \sum_{l=1}^{m-1} \binom{m-1}{l} \binom{n-m+1}{m-l} \qquad (6)$$

which is simply the number of sets of size $m$ containing at least one faulty shareholder.
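Equation (6) and the restart procedure above, as an added example that is not from the paper: Python that evaluates both sides of Equation (6), checks them against a brute-force enumeration of the $m$-subsets that contain a faulty member, and simulates the restart loop over a fixed ordering of the authorized subsets for a constructed faulty set. The stand-in strings for the broadcast $g^k$ values are a constructed abstraction (a non-faulty shareholder broadcasts the true value, the faulty ones a single different value), so a subset is rejected exactly when the broadcast values disagree; the function names are this example's own.

```python
# Added example (not from the paper): Equation (6) in both of its forms, a brute-force
# count of the m-subsets that contain at least one faulty shareholder, and a simulation
# of the restart loop. The faulty sets and the stand-in broadcast values are constructed.
from itertools import combinations
from math import comb


def restart_bound(n, m):
    """Left-hand side of Equation (6): all m-subsets minus the all-non-faulty ones
    (with m - 1 faulty shareholders there are n - m + 1 non-faulty ones)."""
    return comb(n, m) - comb(n - m + 1, m)


def restart_bound_sum(n, m):
    """Right-hand side of Equation (6): choose l >= 1 of the m - 1 faulty shareholders
    and the remaining m - l from the n - m + 1 non-faulty ones."""
    return sum(comb(m - 1, l) * comb(n - m + 1, m - l) for l in range(1, m))


def bad_subsets(n, m, faulty):
    """Brute force: authorized subsets (size m) of P = {1..n} that contain a faulty member."""
    return sum(1 for S in combinations(range(1, n + 1), m) if any(i in faulty for i in S))


def broadcast_values(subset, faulty):
    """Constructed stand-in for the g^k values the old shareholders in `subset` broadcast:
    non-faulty shareholders send the true value, faulty ones (conspiring, as in the text)
    all send the same wrong value. The new shareholders only see whether the values agree."""
    return {"wrong" if i in faulty else "true" for i in subset}


def restarts_until_consistent(n, m, faulty):
    """Try authorized subsets in a fixed order; count how many are rejected because the
    broadcast values disagree before one with consistent values is found. With at most
    m - 1 faulty shareholders every m-subset has an honest member, so a subset is
    accepted exactly when it has no faulty member."""
    restarts = 0
    for S in combinations(range(1, n + 1), m):
        if len(broadcast_values(S, faulty)) > 1:
            restarts += 1          # discrepancy detected, cannot pinpoint who: restart
        else:
            return restarts
    raise ValueError("more than m - 1 faulty shareholders: no consistent subset exists")
```

For $n = 7$, $m = 3$ and faulty shareholders $\{1, 2\}$, lexicographic ordering of the subsets is the worst case: all 25 subsets that contain a faulty member come before the first clean one, so the simulated restart count equals Equation (6) exactly.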

The  requirement  that  all  n'  shareholders  in  P'  are  non-faulty  is  reasonable  if  we  view  the  purpose  of 
our  VSR  protocol  as  one  of  detecting  faulty  behavior  by  shareholders  in  P.  This  is  analogous  to  one  of 
the  assumptions  underlying  Feldman’s  VSS  scheme  in  which  the  shareholders  are  implicitly  trusted  to  store 
valid  shares  (and  reject  invalid  shares)  of  a  secret. 


4.3  Computational  cost 


The computational cost for each new shareholder of verification in our VSR protocol (Redist Step 3 in the figure presenting the protocol) is $O(mm')$ multiplications and $O(mm')$ exponentiations, exclusive of the cost of computing the commitments. Consider redistribution from an $\mathcal{A}_P^{(m,n)}$ to $\mathcal{A}_{P'}^{(m',n')}$ access structure. Each new shareholder $j \in P'$ performs $m-1$ multiplications ($A \in \mathcal{A}_P^{(m,n)}$, $|A| = m$) and $m$ exponentiations to verify that SHARES-VALID holds (Equation (5)), for a total cost of $O(m)$; we do not include the (small) cost of computing the powers of $i$. Each $j$ also performs $m'-1$ multiplications ($A' \in \mathcal{A}_{P'}^{(m',n')}$, $|A'| = m'$) and $m'-1$ exponentiations for $m$ old shareholders $i \in A$ to verify that SUBSHARES-VALID holds (Equation (4)), for a total cost of $O(mm')$. Thus, the total cost for each $j$ to verify that both conditions hold is $O(mm')$ multiplications and $O(mm')$ exponentiations, exclusive of the cost of computing the commitments. In the worst case, the number of times we must restart the redistribution protocol is bounded by Equation (6).
4.4 Generalization to linear threshold sharing schemes

We can generalize our VSR protocol for application to linear threshold sharing schemes other than Shamir's scheme [Sha79]. Let $K$ denote the secret set, and $S_i$ the share value set for shareholder $i$. Suppose we have distributed shares of a secret $k \in K$ with a linear scheme to the access structure $\mathcal{A}$. $k$ is then a linear combination of the shares $s_i \in S_i$ of $i$ in an authorized subset $A \in \mathcal{A}$:

$$k = \sum_{i \in A} \psi_i(s_i)$$

where $\psi_i$ is a homomorphism from $S_i$ to $K$.

For the general case, we require a homomorphic commitment function $C(x)$ that is hard to invert. We also require that there exist reliable broadcast channels among all participants and private channels between every pair of participants. We then use the general form of Feldman's VSS scheme [Fel87] to verify that SUBSHARES-VALID holds, and

$$C(k) = \prod_{i \in A} C(\psi_i(s_i))$$

to verify that SHARES-VALID holds.


4.5  Proof  of  correctness 

We prove that NEW-SHARES-VALID holds after redistribution if SHARES-VALID and SUBSHARES-VALID hold. We also show that Equations (4) and (5) verify that SUBSHARES-VALID and SHARES-VALID hold.

Lemma 1 SUBSHARES-VALID holds if Equation (4) holds.

PROOF: Proved by Feldman [Fel87]. □

Lemma 2 SHARES-VALID holds if Equation (5) holds.

PROOF: Assume that Equation (5) holds. It then follows from Equation (5), the definition of SHARES-VALID, and the homomorphic properties of exponentiation that SHARES-VALID holds. □


Theorem 1 (VSR correctness) For the verifiable redistribution of shares of a secret from an $\mathcal{A}_P^{(m,n)}$ to $\mathcal{A}_{P'}^{(m',n')}$ access structure for Shamir's threshold sharing scheme [Sha79], for all secrets $k \in \mathbb{Z}_p$ and for all authorized subsets $A \in \mathcal{A}_P^{(m,n)}$, $A' \in \mathcal{A}_{P'}^{(m',n')}$, NEW-SHARES-VALID holds after redistribution of $k$ with the VSR protocol if SHARES-VALID and SUBSHARES-VALID hold.

PROOF: Assume that both SHARES-VALID and SUBSHARES-VALID hold. Then:

$$\begin{aligned}
k &= \sum_{i \in A} b_i s_i && \text{(SHARES-VALID)} \\
  &= \sum_{i \in A} b_i \Big( \sum_{j \in A'} b'_j \hat{s}_{ij} \Big) && \text{(SUBSHARES-VALID)} \\
  &= \sum_{i \in A} \sum_{j \in A'} b_i b'_j \hat{s}_{ij} && (x(y+z) = xy + xz) \\
  &= \sum_{i \in A} \sum_{j \in A'} b'_j b_i \hat{s}_{ij} && (xy = yx) \\
  &= \sum_{j \in A'} \sum_{i \in A} b'_j b_i \hat{s}_{ij} && (x + y = y + x) \\
  &= \sum_{j \in A'} b'_j \Big( \sum_{i \in A} b_i \hat{s}_{ij} \Big) && (xy + xz = x(y+z)) \\
  &= \sum_{j \in A'} b'_j s'_j && \text{(definition of the new shares } s'_j)
\end{aligned}$$

□

Our correctness proof mirrors that for Desmedt and Jajodia's secret redistribution protocol [DJ97].


4.6  Proof  of  security 

We prove that an adversary cannot reconstruct a secret from a combination of shares distributed with Shamir's scheme to an $\mathcal{A}_P^{(m,n)}$ access structure and shares distributed to an $\mathcal{A}_{P'}^{(m',n')}$ access structure. In particular, we show that an adversary who has obtained $m-1$ old shares and $m'-1$ new shares of a secret $k$ cannot reconstruct $k$ (it then trivially follows that an adversary with less than $m-1$ old shares and less than $m'-1$ new shares cannot reconstruct $k$). In the proof, we make use of lemmas from linear algebra (summarized in Appendix A).


Theorem 2 (VSR security) For the verifiable redistribution of shares of a secret from an $\mathcal{A}_P^{(m,n)}$ to $\mathcal{A}_{P'}^{(m',n')}$ access structure for Shamir's threshold sharing scheme [Sha79], and for all secrets $k \in \mathbb{Z}_p$, the shares $s_i$ of shareholders $i$ in any non-authorized subset $A \notin \mathcal{A}_P^{(m,n)}$ cannot be used with the shares $s'_j$ of shareholders $j$ in any non-authorized subset $A' \notin \mathcal{A}_{P'}^{(m',n')}$ to uniquely determine $k$.

PROOF: Assume there is a unique solution for $k$ from the shares of shareholders in $A$ and $A'$, where $|A| = m-1$ and $|A'| = m'-1$. We show that this assumption leads to a contradiction. Suppose that we have $s_i$ of $i \in A$ and $s'_j$ of $j \in A'$. We use the share-generation equation of Shamir's scheme (each share is the evaluation, at the shareholder's index, of a polynomial whose constant term is $k$) to construct the system of equations
$$\begin{bmatrix}
1 & 1 & \cdots & 1 & 0 & \cdots & 0 \\
\vdots & \vdots & & \vdots & \vdots & & \vdots \\
1 & i & \cdots & i^{m-1} & 0 & \cdots & 0 \\
\vdots & \vdots & & \vdots & \vdots & & \vdots \\
1 & (m-1) & \cdots & (m-1)^{m-1} & 0 & \cdots & 0 \\
1 & 0 & \cdots & 0 & 1 & \cdots & 1 \\
\vdots & \vdots & & \vdots & \vdots & & \vdots \\
1 & 0 & \cdots & 0 & j & \cdots & j^{m'-1} \\
\vdots & \vdots & & \vdots & \vdots & & \vdots \\
1 & 0 & \cdots & 0 & (m'-1) & \cdots & (m'-1)^{m'-1}
\end{bmatrix}
\begin{bmatrix} k \\ a_1 \\ \vdots \\ a_{m-1} \\ a'_1 \\ \vdots \\ a'_{m'-1} \end{bmatrix}
=
\begin{bmatrix} s_1 \\ \vdots \\ s_i \\ \vdots \\ s_{m-1} \\ s'_1 \\ \vdots \\ s'_j \\ \vdots \\ s'_{m'-1} \end{bmatrix}
\qquad (7)$$

where, without loss of generality, the shareholders whose shares are available are labelled $A = \{1, \ldots, m-1\}$ and $A' = \{1, \ldots, m'-1\}$.

Let $M$ denote the left-hand matrix in Equation (7), $a$ the coefficient vector $k, a_1 \ldots a'_{m'-1}$, and $s$ the share vector. The maximum possible value for $\mathrm{rank}(M)$ is the number of rows ($m+m'-2$, by Lemma 3 in Appendix A), which is less than the number of values in $a$ ($m+m'-1$). Also, $\mathrm{rank}(M) = \mathrm{rank}([M|s])$ since $s$ is a linear combination of the columns of $M$ (by the method of share generation). Thus, we have infinitely many solutions for $a$ in Equation (7) (by Lemma 4 in Appendix A). We arrive at the same conclusion with any $A \notin \mathcal{A}_P^{(m,n)}$ such that $|A| \le m-1$, and any $A' \notin \mathcal{A}_{P'}^{(m',n')}$ such that $|A'| \le m'-1$.

Assuming that there is a unique solution for $k$, we can re-write Equation (7) as

$$\begin{bmatrix}
1 & \cdots & 1 & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots \\
i & \cdots & i^{m-1} & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots \\
(m-1) & \cdots & (m-1)^{m-1} & 0 & \cdots & 0 \\
0 & \cdots & 0 & 1 & \cdots & 1 \\
\vdots & & \vdots & \vdots & & \vdots \\
0 & \cdots & 0 & j & \cdots & j^{m'-1} \\
\vdots & & \vdots & \vdots & & \vdots \\
0 & \cdots & 0 & (m'-1) & \cdots & (m'-1)^{m'-1}
\end{bmatrix}
\begin{bmatrix} a_1 \\ \vdots \\ a_{m-1} \\ a'_1 \\ \vdots \\ a'_{m'-1} \end{bmatrix}
=
\begin{bmatrix} s_1 - k \\ \vdots \\ s_i - k \\ \vdots \\ s_{m-1} - k \\ s'_1 - k \\ \vdots \\ s'_j - k \\ \vdots \\ s'_{m'-1} - k \end{bmatrix}
\qquad (8)$$

Let $M_k$ denote the left-hand matrix in Equation (8), and $a_k$ the coefficient vector $a_1 \ldots a'_{m'-1}$. Let $M_k^{UL}$ and $M_k^{LR}$ denote the upper-left and lower-right square sub-matrices of $M_k$,

$$M_k^{UL} = \begin{bmatrix} 1 & \cdots & 1 \\ \vdots & & \vdots \\ i & \cdots & i^{m-1} \\ \vdots & & \vdots \\ (m-1) & \cdots & (m-1)^{m-1} \end{bmatrix}
\quad \text{and} \quad
M_k^{LR} = \begin{bmatrix} 1 & \cdots & 1 \\ \vdots & & \vdots \\ j & \cdots & j^{m'-1} \\ \vdots & & \vdots \\ (m'-1) & \cdots & (m'-1)^{m'-1} \end{bmatrix}$$
We can express $\det(M_k^{UL})$ as

$$\det(M_k^{UL}) = 1 \cdots i \cdots (m-1) \begin{vmatrix} 1 & 1 & \cdots & 1 \\ \vdots & \vdots & & \vdots \\ 1 & i & \cdots & i^{m-2} \\ \vdots & \vdots & & \vdots \\ 1 & (m-1) & \cdots & (m-1)^{m-2} \end{vmatrix}$$


Since the rightmost term for $\det(M_k^{UL})$ is a non-zero Vandermonde determinant (all of its elements are non-zero and pair-wise unique), and the factor $1 \cdots (m-1)$ is also non-zero, $\det(M_k^{UL})$ is non-zero; likewise, $\det(M_k^{LR})$ is non-zero. Thus, $\det(M_k)$ is non-zero since it is simply the product of $\det(M_k^{UL})$ and $\det(M_k^{LR})$ (by Lemma 6 in Appendix A).

If $\det(M_k)$ is non-zero, then Equation (8) has a unique solution for $a_k$ (by Lemma 5 in Appendix A). If Equation (8) has a unique solution for $a_k$, then Equation (7) has a unique solution for $a$ (since we know $k$). But we have already established that we have infinitely many solutions for $a$, and our assumption that we have a unique solution for $k$ has led to a contradiction. Thus, we cannot uniquely determine $k$ with the shares of shareholders in $A$ and $A'$. □
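The rank argument of this proof, as an added example that is not the paper's own code: Python that builds the coefficient matrix $M$ of Equation (7) for a constructed toy instance ($p = 1019$, $m = 3$, $m' = 2$, the adversary holding the old shares at $i = 1, 2$ and the new share at $j = 1$), computes ranks by Gaussian elimination over $\mathbb{Z}_p$, and counts how many candidate secrets $k$ are consistent with the observed shares by applying Lemma 4 (Kronecker-Capelli) to Equation (8). It also shows the contrast the theorem relies on: adding one more old share, so that the old subset becomes authorized, leaves exactly one consistent $k$. The function names, the polynomials and the share values are this example's own.

```python
# Added example (not from the paper): the rank argument of the security proof on a
# constructed toy instance. Shares live in Z_P; P is a small prime chosen for illustration.
P = 1019


def rank_mod_p(rows):
    """Rank of a matrix over Z_P by Gauss-Jordan elimination (pivot columns are counted;
    by Lemma 3 this equals the number of independent rows)."""
    M = [[x % P for x in r] for r in rows]
    rank = 0
    ncols = len(M[0]) if M else 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][col], -1, P)
        M[rank] = [x * inv % P for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank


def system_matrix(old_points, new_points, m, m_new):
    """Coefficient matrix M of Equation (7). Column order: k, a_1..a_{m-1}, a'_1..a'_{m'-1}.
    Row for old share i is [1, i, ..., i^{m-1}, 0, ..., 0]; row for new share j is
    [1, 0, ..., 0, j, ..., j^{m'-1}]."""
    rows = []
    for i in old_points:
        rows.append([1] + [pow(i, l, P) for l in range(1, m)] + [0] * (m_new - 1))
    for j in new_points:
        rows.append([1] + [0] * (m - 1) + [pow(j, l, P) for l in range(1, m_new)])
    return rows


def unknown_count(m, m_new):
    """Length of the coefficient vector a in Equation (7): m + m' - 1."""
    return m + m_new - 1


def consistent_secrets(old_shares, new_shares, m, m_new):
    """Number of candidate secrets k in Z_P for which Equation (8), M_k a_k = s - k, has a
    solution (Lemma 4: solvable iff rank(M_k) == rank([M_k | s - k])).
    old_shares / new_shares map evaluation points to share values."""
    old_pts, new_pts = list(old_shares), list(new_shares)
    Mk = [row[1:] for row in system_matrix(old_pts, new_pts, m, m_new)]  # drop the k column
    s = [old_shares[i] for i in old_pts] + [new_shares[j] for j in new_pts]
    base_rank = rank_mod_p(Mk)
    count = 0
    for k in range(P):
        augmented = [row + [(v - k) % P] for row, v in zip(Mk, s)]
        if rank_mod_p(augmented) == base_rank:
            count += 1
    return count


def shares_from_polynomial(coeffs, points):
    """Evaluate the share polynomial (constant term = secret) at the given points."""
    return {x: sum(c * pow(x, l, P) for l, c in enumerate(coeffs)) % P for x in points}


# Constructed instance: secret k = 123 shared with m = 3 via f(x) = 123 + 5x + 7x^2 and
# re-shared with m' = 2 via f'(x) = 123 + 11x. The adversary sees two old shares (i = 1, 2)
# and one new share (j = 1): m - 1 and m' - 1 shares, the setting of Theorem 2.
OLD_POLY, NEW_POLY = [123, 5, 7], [123, 11]
ADVERSARY_OLD = shares_from_polynomial(OLD_POLY, [1, 2])   # {1: 135, 2: 161}
ADVERSARY_NEW = shares_from_polynomial(NEW_POLY, [1])      # {1: 134}
```

For the adversary's view, `rank_mod_p(system_matrix([1, 2], [1], 3, 2))` is 3 while the coefficient vector has 4 entries, and `consistent_secrets(ADVERSARY_OLD, ADVERSARY_NEW, 3, 2)` returns $p$: every element of $\mathbb{Z}_p$ is a possible secret, because the square matrix $M_k$ of Equation (8) is invertible for any choice of $k$. Supplying a third old share (an authorized subset) drops the count to 1.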


5  Summary 

We have presented a protocol to verifiably redistribute shares of secrets from an $(m,n)$ to $(m',n')$ access structure for Shamir's threshold sharing scheme. A generalization of our protocol to linear sharing schemes is also presented. We identified a vulnerability in Desmedt and Jajodia's redistribution protocol and proved that two conditions, SHARES-VALID and SUBSHARES-VALID, are sufficient to guarantee that new shareholders have valid shares after redistribution. We also proved that an adversary cannot combine old shares and new shares to reconstruct the secret, provided that the adversary has less than $m$ old shares and $m'$ new shares. Our redistribution protocol can tolerate up to $m-1$ faulty old shareholders (provided that there are at least $m$ non-faulty old shareholders).

In contrast to proactive secret sharing in which redistribution occurs within the same set of shareholders, verifiable secret redistribution achieves flexible secret management through redistribution of shares to different shareholders with a different access structure. We identified that additional verification information must be passed to successive sets of shareholders. We pointed out that identification and removal of faulty shareholders is not immediately possible if the new members must rely on the old shareholders to distribute verification information. In the worst case, the number of times we must restart the redistribution protocol to eliminate faulty shareholders is bounded by Equation (6).

The  primary  contribution  of  our  work  is  that  in  our  protocol,  new  shareholders  can  verify  the  validity  of 
their  shares  after  redistribution  from  old  to  new  access  structures. 

We have implemented a simple prototype of our protocol that uses Castro and Liskov's Byzantine fault-tolerance library for broadcast communications [CL99], and are currently incorporating the protocol into a survivable storage system [WBS+00, WBP+01] to evaluate its performance costs.
A Linear algebra lemmas


To complete the security proof, we require some lemmas (presented by Beaumont [Bea65] and Kostrikin [Kos82]) for systems of $u$ linear equations in $v$ unknowns of the form

$$\begin{aligned}
m_{11}x_1 + m_{12}x_2 + \cdots + m_{1v}x_v &= y_1 \\
m_{21}x_1 + m_{22}x_2 + \cdots + m_{2v}x_v &= y_2 \\
&\;\;\vdots \\
m_{u1}x_1 + m_{u2}x_2 + \cdots + m_{uv}x_v &= y_u
\end{aligned}$$

Let $M$, $x$ and $y$ denote the coefficient matrix, the unknown vector and the right-hand-side vector

$$M = \begin{bmatrix} m_{11} & \cdots & m_{1v} \\ \vdots & & \vdots \\ m_{u1} & \cdots & m_{uv} \end{bmatrix}, \quad
x = \begin{bmatrix} x_1 \\ \vdots \\ x_v \end{bmatrix}, \quad
y = \begin{bmatrix} y_1 \\ \vdots \\ y_u \end{bmatrix},$$

let $[M|y]$ denote the augmented matrix

$$[M|y] = \begin{bmatrix} m_{11} & \cdots & m_{1v} & y_1 \\ \vdots & & \vdots & \vdots \\ m_{u1} & \cdots & m_{uv} & y_u \end{bmatrix},$$

let $\mathrm{rank}(M)$ denote the rank of $M$ (number of linearly independent columns in $M$), and let $\det(M)$ denote the determinant of $M$.

Lemma 3 $\mathrm{rank}(M) = \mathrm{rank}(M^T)$.

Lemma 4 (Kronecker-Capelli theorem) If (and only if) $\mathrm{rank}(M) = \mathrm{rank}([M|y])$, then the system above has a solution for $x$. Furthermore, if $\mathrm{rank}(M) < v$, then the system above has infinitely many solutions for $x$.

Lemma 5 (Cramer's rule) If $u = v$ and $\det(M) \neq 0$, then the system above has a unique solution for $x$.

Lemma 6 For $u \times u$ matrix $A$, $v \times v$ matrix $B$, and $u \times v$ matrix $C$:

$$\det \begin{bmatrix} A & C \\ 0 & B \end{bmatrix} = \det(A)\,\det(B)$$

PROOF: Presented by Kostrikin [Kos82]. □